Chairman Johnson, Ranking Member McCaskill, and members of the Committee, thank 
you for the opportunity to testify before you today. The Department of Homeland Security 
(DHS) serves a critical role in safeguarding and securing cyberspace, a core homeland security 
mission. The National Protection and Programs Directorate (NPPD) at DHS leads the Nation’s 
efforts to ensure the security and resilience of our cyber and physical infrastructure. Last month, 
this Committee reported favorably on H.R. 2825, the Department of Homeland Security 
Authorization Act (as amended). This bill includes the language from H.R. 3359, the 
Cybersecurity and Infrastructure Security Agency Act of 2017. If enacted, this language would 
mature and streamline NPPD and rename our organization to reflect clearly our essential mission 
and our role in securing cyberspace. The Administration strongly supports establishing the 
Cybersecurity and Infrastructure Security Agency within DHS, and we will continue working 
with this Committee and the rest of the Senate to get the necessary legislation enacted. 

NPPD is responsible for protecting civilian Federal government networks and 
collaborating with other Federal agencies, as well as State, local, tribal, and territorial 
governments, and the private sector to defend against cyber threats. We endeavor to enhance 
cyber threat information-sharing across the globe to stop cyber incidents before they start and 
help businesses and government agencies to protect their cyber systems and quickly recover 
should such an attack occur. By bringing together all levels of government, the private sector, 
international partners, and the public, we are taking action to protect against cybersecurity risks, 
improve our whole-of-government incident response capabilities, enhance information sharing of 
best practices and cyber threats, and to strengthen resilience. 

Threats 

Cyber threats remain one of the most significant strategic risks for the United States, 
threatening our national security, economic prosperity, and public health and safety. Malicious 
cyber activity causes impacts to infrastructure across both the virtual and physical domains. We 
have recently experienced a turning point in the cyber domain, at least in the public 
consciousness. We have long been confronted with myriad attacks against our digital networks. 
Americans have seen advanced persistent threat actors, including hackers, cyber criminals, and 
nation states, increase the frequency and sophistication of these attacks. Our adversaries have 
been developing and using advanced cyber capabilities to undermine critical infrastructure, target 
our livelihoods and innovation, steal our national security secrets, and threaten our democracy. 

Global cyber incidents, such as the “WannaCry” ransomware incident and the 
“NotPetya” malware incident in May and June 2017, respectively, are examples of malicious 
actors leveraging cyberspace to create disruptive effects and cause economic loss. These 
incidents exploited known vulnerabilities in software commonly used across the globe. Prior to 
these events, NPPD had already taken actions to help protect networks from similar types of 
attacks. Through requested vulnerability scanning, NPPD helped stakeholders identify 
vulnerabilities on their networks so they could be patched before incidents and attacks occur. 
Recognizing that not all users are able to install patches immediately, NPPD shared additional 
mitigation guidance to assist network defenders. As the incidents unfolded, NPPD led the 
Federal government’s incident response efforts, working with our interagency partners, including 
providing situational awareness, information sharing, malware analysis, and technical assistance 
to affected entities. 

In a series of incidents since at least May of last year, working with U.S. and 
international partners, DHS and FBI have identified Russian government actors targeting 
government entities and businesses in the energy, nuclear, water, aviation, and critical 
manufacturing sectors. DHS assesses that this campaign ultimately collected information 
pertaining to industrial control systems with the intent to gain access to industrial control systems 
environments. The intrusions have targeted two distinct categories of victims: staging and 
intended targets. In other words, through the Department’s incident response actions, we have 
observed this advanced persistent threat actor target certain entities that then become pivot 
points, leveraging existing relationships between the initial victim and the intended targets to 
hide their activity, as part of a multi-stage intrusion campaign to gain access to networks of 
major, high-value assets that operate components of our Nation’s critical infrastructure. Based 
on our analysis and observed indicators of compromise, DHS has confidence that this campaign 
is still ongoing, and threat actors are actively pursuing their ultimate long-term campaign 
objectives. DHS and the FBI continue to conduct incident response related to this activity and 
have published a joint technical alert to enable network defenders to identify and take action to 
reduce exposure to this malicious activity. 

Cybersecurity Priorities 

This Administration has prioritized protecting and defending our public and economic 
safety from the range of threats that exist today, including those emanating from cyberspace. 

Last year, the President signed Executive Order 13800, Strengthening the Cybersecurity of 
Federal Networks and Critical Infrastructure. This Executive Order set in motion a series of 
assessments and deliverables to understand how to improve our defenses and lower our risk to 
cyber threats. This order also emphasized the importance of accountability, clarifying that 
department and agency heads are responsible and will be held accountable for the security of 
their networks and systems. NPPD plays an important role in providing capabilities, services, 
and direction to Federal agencies. 

Across the Federal Government, agencies have been implementing action plans to use the 
industry-standard National Institute of Standards and Technology (NIST) Cybersecurity 
Framework. Agencies are reporting to DHS and the Office of Management and Budget (OMB) 
on their cybersecurity risk mitigation and acceptance choices. In coordination with OMB, DHS 
is evaluating the totality of these Agency reports in order to comprehensively assess the 
adequacy of the Federal Government’s overall cybersecurity risk management posture. 

Although Federal agencies have primary responsibility for their own cybersecurity, DHS 
provides a common set of security tools that helps agencies manage their cyber risk. NPPD’s 
assistance to Federal agencies includes (1) providing tools to safeguard civilian executive branch 
networks through the National Cybersecurity Protection System (NCPS), which includes 
“EINSTEIN” and Continuous Diagnostics and Mitigation (CDM) programs, (2) measuring and 
motivating agencies to implement policies, directives, standards, and guidelines, (3) serving as a 
hub for information sharing and incident reporting, and (4) providing operational and technical 
assistance, including threat information dissemination and risk and vulnerability assessments, as 
well as incident response services. NPPD’s National Cybersecurity and Communications 
Integration Center (NCCIC) is the civilian government’s hub for cybersecurity information 
sharing, asset incident response, and coordination for both critical infrastructure and the Federal 
government. 

EINSTEIN refers to the Federal Government’s suite of signature-based intrusion 
detection and prevention capabilities that protects agencies’ unclassified networks at the 
perimeter of each agency. EINSTEIN provides situational awareness of civilian executive 
branch network traffic, so threats detected at one agency are shared with all others providing 
agencies with information and capabilities to more effectively manage their cyber risk. The 
Federal Government could not achieve such situational awareness through individual agency 
efforts alone. 

Moving forward, leveraging existing investments, our non-signature based pilot efforts to 
move beyond current reliance on signatures are yielding positive results in the discovery of 
previously unidentified malicious activity. DHS is demonstrating the ability to capture data that 
can be rapidly analyzed for anomalous activity using technologies from commercial, 
government, and open sources. The pilot efforts are also defining the future operational needs 
for tactics, techniques, and procedures as well as the skill sets and personnel required to 
operationalize the non-signature based approach to cybersecurity. 

State, local, tribal, and territorial governments are able to access intrusion detection and 
analysis services through the Multi-State Information Sharing and Analysis Center (MS-ISAC). 
MS-ISAC’s service, called “Albert,” closely resembles some EINSTEIN capabilities. While the 
current version of Albert cannot actively block known cyber threats, it does alert cybersecurity 
officials to an issue for further investigation. DHS worked closely with MS-ISAC to develop the 
program and considers MS-ISAC to be a principal conduit for sharing cybersecurity information 
with state and local governments. 

EINSTEIN, the Federal Government’s tool to address perimeter security, will not block 
every threat; therefore, it must be complemented with systems and tools working inside agency 
networks—as effective cybersecurity risk management requires a defense-in-depth strategy that 
cannot be achieved through only one type of tool. The CDM program provides cybersecurity tools 
and integration services to all participating agencies to enable them to improve their respective 
security postures by reducing the attack surface of their networks as well as providing DHS with 
enterprise-wide visibility through a common federal dashboard. 

CDM is helping us achieve two major advances for federal cybersecurity. First, agencies 
are gaining visibility, often for the first time, into the extent of cybersecurity risks across their 
entire network. With enhanced visibility, they can prioritize the mitigation of identified issues 
based upon their relative importance. Second, with the summary-level agency-to-federal 
dashboard feeds, the NCCIC will be able to identify systemic risks across the civilian executive 
branch more effectively and closer to real-time. For example, the NCCIC currently tracks 
government-wide progress in implementing critical patches via agency self-reporting and manual 
data calls. CDM will transform this, enabling the NCCIC to immediately view the prevalence of 
a given software product or vulnerability across the federal government so that the NCCIC can 
provide agencies with timely guidance on their risk exposure and recommended mitigation steps. 
Effective cybersecurity requires a robust measurement regime, and robust measurement requires 
valid and timely data. CDM will provide this baseline of cybersecurity risk data to drive 
improvement across the civilian executive branch. 

DHS conducts a number of activities to measure agencies’ cybersecurity practices and 
works with agencies to improve risk management practices. The Federal Information Security 
Modernization Act of 2014 (FISMA) provided the Secretary of Homeland Security with the 
authority to develop and oversee implementation of Binding Operational Directives (BOD) to 
agencies. In 2016, the Secretary issued a BOD on securing High Value Assets, or those assets, 
federal information systems, information, and data for which unauthorized access, use, 
disclosure, disruption, modification, or destruction could cause a significant impact to U.S. 
national security interests, foreign relations, the economy, or to the public confidence, civil 
liberties, or public health and safety of the American people. NPPD works with interagency 
partners to prioritize High Value Assets for assessment and remediation activities across the 
federal government. For instance, NPPD conducts security architecture reviews on these High 
Value Assets to help agencies assess their network architecture and configurations. 

As part of the effort to secure High Value Assets, DHS conducts in-depth vulnerability 
assessments of prioritized agency assets to determine how an adversary could penetrate a system, 
move around an agency’s network to access sensitive data, and exfiltrate such data without being 
detected. These assessments include services such as penetration testing, wireless security 
analysis, and “phishing” evaluations in which DHS hackers send emails to agency personnel and 
test whether recipients click on potentially malicious links. DHS has focused these assessments 
on federal systems that may be of particular interest to adversaries or support uniquely 
significant data or services. These assessments provide system owners with recommendations to 
address identified vulnerabilities. DHS provides these same assessments, on a voluntary basis 
upon request, to private sector and State, local, Territorial, and Tribal partners. DHS also works 
with the General Services Administration to ensure that contractors can provide assessments that 
align with our HVA initiative to agencies. 

Another BOD issued by the Secretary directs civilian agencies to promptly patch known 
vulnerabilities on their Internet-facing systems that are most at risk from their exposure. The 
NCCIC conducts cyber hygiene scans to identify vulnerabilities in agencies’ internet-accessible 
devices and provides mitigation recommendations. Agencies have responded quickly in 
implementing the Secretary’s BOD and have sustained this progress. When the Secretary issued 
this directive, NPPD identified more than 360 “stale” critical vulnerabilities across federal 
civilian agencies, which means the vulnerabilities had been known for at least 30 days and 
remained unpatched. Since December 2015, NPPD has identified an average of less than 40 
critical vulnerabilities at any given time, and agencies have addressed those vulnerabilities 
rapidly once they were identified. By conducting vulnerability assessments and security 
architecture reviews, NPPD is helping agencies find and fix vulnerabilities and secure their 
networks before an incident occurs. 

In addition to efforts to protect government networks, Executive Order 13800 continues 
to examine how the government and industry work together to protect our nation’s critical 
infrastructure, prioritizing deeper, more collaborative public-private partnerships in threat 
assessment, detection, protection, and mitigation. In collaboration with civilian, defense, and 
intelligence agencies, we are identifying authorities and capabilities that agencies could employ, 
soliciting input from the private sector, and developing recommendations to support the 
cybersecurity efforts of those critical infrastructure entities at greatest risk of attacks that could 
result in catastrophic impacts. DHS coordinates closely with the Sector Specific Agencies across 
all 16 critical infrastructure sectors by leveraging their sector expertise to improve cybersecurity 
resiliency and risk management. 

For instance, by sharing information quickly and widely, we help all partners block cyber 
threats before damaging incidents occur. Equally important, the information we receive from 
partners helps us identify emerging risks and develop effective protective measures. 

Congress authorized the NCCIC as the civilian hub for sharing cyber threat indicators 
and defensive measures with and among federal and non-federal entities, including the private 
sector. As required by the Cybersecurity Act of 2015, we established a capability, known as 
Automated Indicator Sharing (AIS), to automate our sharing of cyber threat indicators in 
real-time. AIS protects the privacy and civil liberties of individuals by narrowly tailoring the 
information shared to that which is necessary to characterize identified cyber threats, consistent 
with longstanding DHS policy and the requirements of the Act. AIS is a part of the Department’s 
effort to create an environment in which as soon as a company or federal agency observes an 
attempted compromise, the indicator is shared in real time with all of our partners, enabling them 
to protect themselves from that particular threat. This real-time sharing capability can limit the 
scalability of many attack techniques, thereby increasing the costs for adversaries and reducing 
the impact of malicious cyber activity. An ecosystem built around automated sharing and 
network defense-in-depth should enable organizations to detect and thwart the most common 
cyber-attacks, freeing their cybersecurity staff to concentrate on the novel and sophisticated 
attacks. More than 129 agencies and private sector partners have connected to the AIS 
capability. Notably, partners such as information sharing and analysis organizations and 
computer emergency response teams further share with or protect their customers and 
stakeholders, significantly expanding the impact of this capability. AIS is still a new capability 
and we expect the volume of threat indicators shared through this system to substantially 
increase as the technical standards, software, and hardware supporting the system continue to be 
refined and put into full production. This information sharing environment will become more 
robust and effective as more indicators are shared from other federal agencies; State, local, 
Territorial, and Tribal governments; and the private sector. 

Another part of the Department’s overall information sharing effort is to provide federal 
network defenders with the necessary context regarding cyber threats to prioritize their efforts 
and inform their decision making. DHS’s Office of Intelligence and Analysis has collocated 
analysts within the NCCIC responsible for continuously assessing the specific threats to federal 
networks using traditional all source methods and indicators of malicious activity so that the 
NCCIC can share with federal network defenders. Analysts and personnel from the Departments 
of Energy, the Treasury, Health and Human Services, and Defense join the FBI and others who 
are also collocated within the NCCIC and working together to understand the threats and share 
information with their sector stakeholders, pursuant to NPPD policies that provide appropriate 
privacy, civil liberties and confidentiality protections. 

Mitigating Cyber Risks 

We continue to adapt to the evolving risks to critical infrastructure, and prioritize our 
services to mitigate those risks. For instance, the Department recently took action regarding 
specific products which present a risk to federal information systems. 

After careful consideration of available information and consultation with interagency 
partners, BOD 17-01 was issued that directed Federal Executive Branch departments and 
agencies to take actions related to the use or presence of information security products, solutions, 
and services supplied directly or indirectly by AO Kaspersky Lab or related entities. The BOD 
called on departments and agencies to identify any use or presence of Kaspersky products on 
their information systems in the next 30 days, to develop detailed plans to remove and 
discontinue present and future use of the products within 60 days, and at 90 days from the date of 
the directive, unless directed otherwise by DHS based on new information, to begin to 
implement the agency plans to discontinue use and remove the products from federal information 
systems. This action is based on the information security risks presented by the use of Kaspersky 
products on federal IT systems. 

The Department provided an opportunity for Kaspersky to submit a written response 
addressing the Department’s concerns or to mitigate those concerns, and Kaspersky submitted a 
written response. The Department wanted to ensure that the company had a full opportunity to 
provide any evidence, materials, or data that may be relevant. This opportunity was also 
available to any other entity that claimed its commercial interests will be directly impacted by 
the directive. 

While the information and communications technology supply chain is not the source of 
all cyber risk, it presents an opportunity for creation of threats and vulnerabilities. Commercial 
technology is ubiquitous in federal networks, even those that handle the most sensitive 
information and support essential functions of the government. DHS—through its work with the 
Department of Defense and the intelligence community to identify key supply chain risks—has 
established a Cyber Supply Chain Risk Management initiative. Due to the increasing 
connectivity of the world and the growing sophistication of threats, this initiative will identify 
and mitigate supply chain threats and vulnerabilities related to High Value Assets. 

Election Security 

NPPD is committed to ensuring a coordinated response from DHS and its federal partners 
to plan for, prepare for, and mitigate risk to election infrastructure. We understand that working 
with election infrastructure stakeholders is essential to ensuring a more secure election. Based on 
our assessment of activity observed in the 2016 elections, NPPD and our stakeholders are 
increasing awareness of potential vulnerabilities and providing capabilities to enhance the 
security of U.S. election infrastructure as well as that of our democratic allies. 

As mentioned before, under the Constitution and our system of laws, federal elections are 
administered by state and local election officials in thousands of jurisdictions. Security 
awareness for election officials did not begin in 2016. State and local election officials across the 
country have a long-standing history of working both individually and collectively to reduce 
risks and ensure the integrity of their elections. In partnering with these officials through both 
new and existing, ongoing engagements, NPPD is working to provide value-added, yet 
voluntary, services to support their efforts to secure elections. 

This year our Nation is in the midst of primary and special elections as well as the 
general election in November. We have been working with election officials in all states to 
enhance the security of their elections by offering support and by establishing essential lines of 
communications at all levels, public and private, for reporting both suspicious cyber activity and 
incidents. This information sharing is critical and our goal is to enhance transparency and have 
visibility of aggregated elections-related cybersecurity efforts. We are also working with election 
officials, vendors, the Election Assistance Commission (EAC), and NIST to characterize risk to 
election systems and ensure appropriate mitigations are understood and available in the 
marketplace. As a part of this process, we work with these stakeholders to recommend best 
practices to ensure a secure and verifiable vote. 

Over the course of the last year, DHS has made tremendous strides and has been 
committed to working collaboratively with those on the front lines of administering our 
elections—state and local election officials and the vendor community—to secure election 
infrastructure from risks. The establishment of government and sector coordinating councils will 
build the foundations for this enduring partnership not only in 2018, but for future elections as 
well. We will remain transparent as well as agile in combating and securing our physical and 
cyber infrastructure. However, we recognize that there is a significant technology deficit across 
State and local governments, and State and local election systems, in particular. It will take 
significant and continual investment to ensure that systems are upgraded and secure or 
vulnerable systems are retired. 

We recognize the fundamental link between public trust in our election 
infrastructure and the confidence the American public places in basic democratic functions. 
Ensuring the security of our electoral process is a vital national interest and one of our highest 
priorities at DHS. Our voting infrastructure is diverse, subject to local control, and has many 
checks and balances. As the threat environment evolves, DHS will continue to work with federal 
agencies, state and local partners, and private sector entities to enhance our understanding of the 
threat; and to make essential physical and cybersecurity tools and resources available to the 
public and private sectors to increase security and resiliency. 

Conclusion 

In the face of increasingly sophisticated threats, NPPD stands on the front lines of the 
federal government’s efforts to defend our nation’s critical infrastructure from natural disasters, 
terrorism and adversarial threats, and technological risk such as those caused by cyber threats. 
Our infrastructure environment today is complex and dynamic with interdependencies that add to 
the challenge of securing and making it more resilient. Technological advances have introduced 
the “Internet of Things” and cloud computing, offering increased access and streamlined 
efficiencies, while increasing our footprint of access points that could be leveraged by 
adversaries to gain unauthorized access to networks. As our nation continues to evolve and new 
threats emerge, we must integrate cyber and physical risk in order to understand how to 
effectively secure it. Expertise around cyber-physical risk and cross-sector critical infrastructure 
interdependencies is where NPPD brings unique expertise and capabilities. 

We must ensure that NPPD is appropriately organized to address cybersecurity threats 
both now and in the future, and we appreciate this Committee’s leadership in working to 
establish the Cybersecurity and Infrastructure Security Agency. As the Committee considers 
these issues, we are committed to working with Congress to ensure that this effort is done in a 
way that cultivates a safer, more secure and resilient Homeland. 

Thank you for the opportunity to testify, and I look forward to any questions you may have. 